Auto unlock not working with sssd #239

Closed
hadogenes opened this issue Jul 17, 2020 · 5 comments
hadogenes commented Jul 17, 2020

I used these instructions (on manjaro)

Auto unlocking after login works only for local users.

This is probably due to some pam issue.

Here is /etc/pam.d/system-login

#%PAM-1.0

auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth
auth       optional   pam_fscrypt.so    debug

account    required   pam_tally2.so 
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
session    optional   pam_fscrypt.so       debug drop_caches lock_policies

/etc/pam.d/system-auth

#%PAM-1.0

auth      sufficient pam_sss.so forward_pass
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  sufficient pam_sss.so use_authtok
password  required   pam_unix.so     try_first_pass nullok sha512 shadow
password  optional   pam_permit.so

session   required  pam_mkhomedir.so skel=/etc/skel/ umask=0077
session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_sss.so
session   optional  pam_permit.so

/etc/pam.d/passwd

#%PAM-1.0
password        sufficient      pam_sss.so
#password       required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password       required        pam_unix.so sha512 shadow use_authtok
password        required        pam_unix.so sha512 shadow nullok
password        optional        pam_fscrypt.so

/etc/pam.d/fscrypt
I had to add the line "auth sufficient pam_sss.so", because fscrypt encrypt wouldn't work

# Allow fscrypt to check your login passphrase when you create a login protector
auth            sufficient      pam_sss.so    forward_pass
auth            required        pam_unix.so

journalctl -f | grep fscrypt

pam_fscrypt[2836]: OpenSession(map[debug:true drop_caches:true lock_policies:true]) starting
pam_fscrypt[2836]: Session count for UID=115800001 updated to 2
pam_fscrypt[2836]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[90 962 986 115800000 115800001 115800009]
pam_fscrypt[2836]: Setting euid=115800001 egid=115800001 groups=[115800001 986 90 962 115800000 115800009]
pam_fscrypt[2836]: Current privs (real, effective): uid=(0,115800001) gid=(0,115800001) groups=[90 962 986 115800000 115800001 115800009]
pam_fscrypt[2836]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[2836]: creating context for user "user"
pam_fscrypt[2836]: stat /run/user/0/gvfs: permission denied
pam_fscrypt[2836]: ignoring mountpoint "/run/user/0/gvfs" because it is not a directory
pam_fscrypt[2836]: found ext4 filesystem "/" (/dev/dm-0)
pam_fscrypt[2836]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[2836]: found 1 descriptor(s)
pam_fscrypt[2836]: successfully read metadata from "/.fscrypt/protectors/8d21960b8c50f397"
pam_fscrypt[2836]: Getting protector 8d21960b8c50f397 from option
pam_fscrypt[2836]: successfully read metadata from "/.fscrypt/protectors/8d21960b8c50f397"
pam_fscrypt[2836]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[2836]: found 0 descriptor(s)
pam_fscrypt[2836]: following protector link /home/.fscrypt/protectors/8d21960b8c50f397.link
pam_fscrypt[2836]: successfully read metadata from "/.fscrypt/protectors/8d21960b8c50f397"
pam_fscrypt[2836]: listing descriptors in "/home/.fscrypt/policies"
pam_fscrypt[2836]: found 1 descriptor(s)
pam_fscrypt[2836]: successfully read metadata from "/home/.fscrypt/policies/f05f1eb5c7f024e1b4c520615992e56d"
pam_fscrypt[2836]: got data for f05f1eb5c7f024e1b4c520615992e56d from "/home"
pam_fscrypt[2836]: stat /run/user/0/.fscrypt: permission denied
pam_fscrypt[2836]: stat /run/user/0/.fscrypt/policies: permission denied
pam_fscrypt[2836]: stat /run/user/0/.fscrypt/protectors: permission denied
pam_fscrypt[2836]: stat /run/user/967/.fscrypt: permission denied
pam_fscrypt[2836]: stat /run/user/967/.fscrypt/policies: permission denied
pam_fscrypt[2836]: stat /run/user/967/.fscrypt/protectors: permission denied
pam_fscrypt[2836]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[2836]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[2836]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[2836]: stat /sys/fs/bpf/.fscrypt: permission denied
pam_fscrypt[2836]: stat /sys/fs/bpf/.fscrypt/policies: permission denied
pam_fscrypt[2836]: stat /sys/fs/bpf/.fscrypt/protectors: permission denied
pam_fscrypt[2836]: stat /sys/fs/pstore/.fscrypt: permission denied
pam_fscrypt[2836]: stat /sys/fs/pstore/.fscrypt/policies: permission denied
pam_fscrypt[2836]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied
pam_fscrypt[2836]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[2836]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[2836]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
pam_fscrypt[2836]: stat /sys/kernel/tracing/.fscrypt: permission denied
pam_fscrypt[2836]: stat /sys/kernel/tracing/.fscrypt/policies: permission denied
pam_fscrypt[2836]: stat /sys/kernel/tracing/.fscrypt/protectors: permission denied
pam_fscrypt[2836]: unlocking 1 policies protected with AUTHTOK
pam_fscrypt[2836]: Setting euid=0 egid=0 groups=[90 962 986 115800000 115800001 115800009]
pam_fscrypt[2836]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[90 962 986 115800000 115800001 115800009]
pam_fscrypt[2836]: OpenSession(map[debug:true drop_caches:true lock_policies:true]) failed: unlocking protector 8d21960b8c50f397: AUTHTOK data missing: No module specific data is present
@hadogenes (Author)

After changing the auth section in /etc/pam.d/system-login to

auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       optional   pam_fscrypt.so    debug
auth       include    system-auth

(move "auth optional pam_fscrypt.so" before "auth include system-auth")

it is working as expected.

@josephlr josephlr reopened this Aug 22, 2020
@josephlr (Member)

@hadogenes I tried your fix (moving pam_fscrypt before system-auth), but that caused auto-unlocking to fail for me. I'm also on Arch Linux, so it seems weird that it would work for you and fail for me.

@hadogenes (Author)

Ok, after some testing I finally found it.
Earlier I also had the pam_mount module; it wasn't doing anything (empty configuration), but it was doing the thing.
I don't want to write the details, but to make it work I had to make some changes:

system-login as the wiki says. Here is /etc/pam.d/system-login

auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth
auth       optional   pam_fscrypt.so

but the system-auth:

auth      required  pam_env.so
auth      sufficient  pam_unix.so     try_first_pass nullok
auth      required pam_sss.so forward_pass
auth      optional  pam_permit.so

(change pam_unix.so to sufficient and pam_sss.so to required)

Now fscrypt works for sssd users, but doesn't work for local users (in my case only root).

@josephlr (Member)

This makes sense (and is behaving "as expected"). However, I am worried about how brittle the PAM configurations can be.

Closing this, but improving this story is tracked in #95.


hadogenes commented Oct 13, 2020

With the new pam version, system-auth:

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=3 default=ignore]  pam_sss.so forward_pass
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=2 default=ignore]  pam_systemd_home.so
account    [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=2 default=ignore]  pam_systemd_home.so
password   sufficient                  pam_sss.so           use_authtok
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_sss.so
session    optional                    pam_permit.so
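The three system-auth variants quoted in this thread behave differently because of how Linux-PAM walks an auth stack: a "sufficient" module that succeeds ends the stack right there, so any line that comes after the "auth include system-auth" in system-login, such as "auth optional pam_fscrypt.so", never runs for that user. pam_fscrypt needs to run in the auth phase to stash the password for the later session phase, which is what the "AUTHTOK data missing" log line above is complaining about. The following simulation is added here as an illustration; it is not code from the thread, from Linux-PAM or from fscrypt. It applies the ok/done/bad/die/ignore/jump rules from pam.conf(5) to the three system-auth auth sections, each followed by the pam_fscrypt line from system-login, and reports for which users pam_fscrypt actually runs. The per-user module outcomes (an sssd user unknown to pam_unix, a local user unknown to pam_sss, nobody enrolled in systemd-homed) are constructed assumptions chosen to match the symptoms reported, the pam_tally2/pam_shells/pam_nologin lines before the include are left out because they succeed and do not change the result, and it is assumed that the Oct 13 system-login still lists pam_fscrypt after the include, as in the earlier comment.

```python
"""Simulate Linux-PAM auth-stack control flow for the system-auth variants in
this thread.  Constructed simulation, not Linux-PAM or fscrypt code."""

SUCCESS, AUTH_ERR, USER_UNKNOWN = "success", "auth_err", "user_unknown"

# Linux-PAM's documented expansions of the four keyword controls (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(control):
    """'sufficient' or '[success=3 default=ignore]' -> {return code: action}."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    table = {}
    for pair in control.strip("[]").split():
        key, value = pair.split("=", 1)
        table[key] = int(value) if value.isdigit() else value
    return table


def run_auth_stack(stack, results):
    """Walk one auth stack and return (stack result, modules that ran).

    stack: list of (control, module) lines; results: module -> return code
    (anything not listed returns success).  Rules mirrored from pam.conf(5):
    the first 'bad' or 'die' result is frozen as the stack's result, 'done'
    ends the stack only when nothing has failed yet, and a number N acts
    like 'ok' but skips the next N lines."""
    ran, frozen_failure, i = [], None, 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        ran.append(module)
        rc = results.get(module, SUCCESS)
        table = parse_control(control)
        action = table.get(rc, table.get("default", "bad"))
        if action == "ignore":
            continue
        if isinstance(action, int):            # [success=N]: ok plus a jump
            i += action
        elif action == "bad":
            frozen_failure = frozen_failure or rc
        elif action == "die":
            return (frozen_failure or rc), ran
        elif action == "done" and frozen_failure is None:
            return SUCCESS, ran
        # 'ok' (and 'done' after an earlier failure) just continues
    return (frozen_failure or SUCCESS), ran


# The three system-auth auth sections quoted in the thread (args dropped,
# except where the same module appears with different roles).
ORIGINAL = [("sufficient", "pam_sss.so"), ("required", "pam_unix.so"),
            ("optional", "pam_permit.so"), ("required", "pam_env.so")]
SWAPPED = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
           ("required", "pam_sss.so"), ("optional", "pam_permit.so")]
JUMPS = [("required", "pam_faillock.so preauth"),
         ("[success=3 default=ignore]", "pam_sss.so"),
         ("[success=2 default=ignore]", "pam_unix.so"),
         ("[success=1 default=ignore]", "pam_systemd_home.so"),
         ("[default=die]", "pam_faillock.so authfail"),
         ("optional", "pam_permit.so"), ("required", "pam_env.so"),
         ("required", "pam_faillock.so authsucc")]

# The system-login line that follows "auth include system-auth".
FSCRYPT_LINE = [("optional", "pam_fscrypt.so")]

# Constructed per-user outcomes (assumptions): an sssd user is unknown to
# pam_unix, a local user is unknown to pam_sss, nobody is a systemd-homed user.
SSSD_USER = {"pam_unix.so": USER_UNKNOWN, "pam_systemd_home.so": USER_UNKNOWN}
LOCAL_USER = {"pam_sss.so": USER_UNKNOWN, "pam_systemd_home.so": USER_UNKNOWN}
LOCAL_BAD_PASSWORD = dict(LOCAL_USER, **{"pam_unix.so": AUTH_ERR,
                                         "pam_faillock.so authfail": AUTH_ERR})


def fscrypt_runs(system_auth, user):
    """Does pam_fscrypt.so get to run in the auth phase for this user?"""
    result, ran = run_auth_stack(system_auth + FSCRYPT_LINE, user)
    return result == SUCCESS and "pam_fscrypt.so" in ran


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("swapped", SWAPPED), ("jumps", JUMPS)):
        for who, user in (("sssd user", SSSD_USER), ("local user", LOCAL_USER)):
            print(f"{name:9s} {who:11s} pam_fscrypt runs: {fscrypt_runs(cfg, user)}")
```

Run it and the table matches the thread: with the original "sufficient pam_sss.so" an sssd user's stack ends after pam_sss and pam_fscrypt never runs, swapping the controls moves the same short-circuit onto local users, and the "[success=N default=ignore]" layout reaches the end of the include for both kinds of user. A wrong local password in the jump layout is stopped by the "[default=die]" pam_faillock line, again before pam_fscrypt. The practical check this suggests when auto-unlock fails for one class of user: look for any "sufficient" (or "done") control between the include and the pam_fscrypt line for that user's authenticating module.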
